We outline below our standard terms and conditions which apply to the provision of the Services described in the Letter of Engagement. These documents collectively constitute a legally binding agreement between us. 

We are Leyton Benelux S.A., a company incorporated under Belgian law with its registered office at Chaussée de la Hulpe 166 in Brussels, and with its Dutch operating headquarters at Papendorpseweg 95, 3528 BJ Utrecht, registered with the Dutch Chamber of Commerce under number 70369208 and duly represented by Alexandre GANGJI, CEO Leyton Benelux. Leyton shall be referred to hereunder as “we”, “our” or “us”. You are named in the Letter of Engagement and shall be referred to hereunder as “you” or “your”. Collectively you and us may be referred to as “the Parties”. 

If you are unsure as to the legal implications of this agreement you should seek your own independent legal advice. In agreeing to these terms, you are acknowledging that you have not been induced into entering into this agreement by advice from us regarding its implications or your obligations hereunder”.  


The Client shall provide Leyton with any and all information, data and documents necessary to perform the Services. 

Each Party shall keep any and all information or documents received from the other Party confidential and shall therefore not disclose it to any third party without such other Party’s prior written consent. Notwithstanding the above, the Client hereby authorizes Leyton to indicate in its marketing materials, no reporting, the existence of its relationship with the Client as well as the type of services that are the subject of this Agreement. 


LEYTON shall provide the Client with recommendations upon completion of the audit. LEYTON acknowledges and agrees that the Client shall be free to implement each such recommendation. In case the client refuses to implement one or more recommendations, the Client undertakes not to implement it for a three (3)-year period upon expiration of this Agreement. The Client may, however, change its position at any time within the three (3)-year period in question in which case it shall inform LEYTON thereof and LEYTON shall be entitled to charge the Services in accordance with this Agreement. If the Client decides to implement the recommendations, it shall do so with the assistance of LEYTON up till realization of the Savings. In case of disagreement expressed in writing by the administration, the Client and LEYTON shall agree in good faith on the best course of action for the file.  


For services rendered by Leyton, leading to a successful application as confirmed by the Rijksdienst voor Ondernemend Nederland (RVO.nl), Leyton shall an invoice based on the agreed fee (mixed and/or succesfee). The amounts invoiced by Leyton are payable 30 days after reception. In case of late Payment, Leyton shall be entitled, without any prior notification or legal action, to a late payment interest at the rate set forth in the European Directive (2011/7/EU) which is implemented since March 16, 2013 relating to the fight against late payment in commercial transactions. 


For the avoidance of any doubt, the Client represents and warrants that there is no competing audit in relation to the Services, whether such audit is conducted in-house or by a third party. Therefore, any and all Savings in relation to the Services are deemed to arise from the work of LEYTON within the context of this Agreement, except for any Savings disclosed in writing by the Client on, or before, the signature of this Agreement. 


With regard to the personal data for which it is responsible and in particular those to which LEYTON may have access in connection with the performance of the services, the Client is required to take all necessary precautions with regard to the character of the data and the risks presented by the processing, to preserve the security of the data and, in particular, to prevent the data from being distorted, damaged or that an unauthorised third party gains access to such data. 

In the event that the services entrusted by the Client to LEYTON includes the processing of personal data on behalf of the Client, it shall be the responsibility of the Client to ensure that the measures for security and confidentiality offered by LEYTON are in accordance with the level of care that the Client must take with regard to its obligation for the security of the personal data for which it is responsible and that the guarantees presented by LEYTON to this effect are sufficient. 

In this context, LEYTON may only act on the written instruction of the Client and undertakes, unless instructed to the contrary by the Client: 

  • not to process or consult the data or the files contained therein for any purposes other than the performance of the services that it performs in connection with this agreement; 
  • not to insert any foreign data into the files;
  • not to consult or process any data other than those concerned by the services, even if access to these data is technically possible;  
  • not to disclose, in any form whatsoever, all or part of the data in question

The Parties agree to define the concept of a written instruction as being acquired when LEYTON acts in the context of the performance of this agreement. 

The European regulation concerning the protection of personal data (hereafter the “GDPR” or the General Data Protection Regulation) which is in force establishes a system of responsibility and transparency for the administrations, which assumes taking into account the processing of data from the beginning of putting in place a service or a product. The information of the data subjects concerned by the collection is reinforced, new levels of rights appear, such as the right to the limitation of processing or the portability of the data. 

The Parties thus agreed to define in PROTECTION OF PERSONAL DATA hereof the necessary mechanism for security and protection that will be put in place in order to ensure compliance with the GDPR. 


LEYTON shall use its best effort to perform the Services in accordance with the applicable state-of-the-art. It is expressly agreed that the obligation of LEYTON is an obligation of conduct and not an obligation of results. In case the Savings realized by the Client are to be reimbursed, LEYTON shall refund the fees paid by the Client pro rata to the amount of Savings to be reimbursed, till a maximum of 50% (first invoice). Except in case of willful intent, LEYTON’s liability as a result of, or in relation to, this Agreement shall not exceed the amount of the fee set forth in Article 3 hereof. LEYTON shall not be held liable for any loss of profit/income, loss of business, indirect, special, ancillary or consequential damages or for any replacement costs, regardless of the legal ground thereof. 


This Agreement shall be governed by and construed in accordance with Dutch law. Each Party irrevocably submits to the exclusive jurisdiction of the courts of Utrecht, the Netherlands over any claim or matter arising under or in connection with this Agreement.  


This annex is an integral part of the agreement and serves as a written agreement for the processing of data between LEYTON, the sub-contractor for the personal data, and its Client, the processing controller which provides the personal data in the context of the services by LEYTON. 

The annex defines the technical measures and the organisation connected with the security that LEYTON puts in place in order to protect the personal data to which it has access.  

The Client, as the data controller, and LEYTON, as the sub-contractor, have consequently taken the following provisions: 


In the context of the agreement between the parties, the data controller shall have reason to use the personal data, including certain data of a sensitive nature. 

LEYTON shall be called on in its capacity as sub-contractor, to intervene with regard to these same data in the context of the service described in the Agreement. 

Objective, nature and purpose of the processing in the context of the Agreement  

The objective and exclusive purpose of the processing of the personal data is: 

  • the preparation, realisation, monitoring and provision of the services and benefits described in the Agreement;
  • the communication to the interlocutors authorised by the Client and described in the Agreement;

In accordance with the provisions of the Agreement, the processing is realised with the goal of analysing in general the employer social security contributions and requires: 

  • Monthly list of employees (RNT)
  • Statement of employer’s social security contributions.
  • Statement of employee social security contributions (Idc/rl-nss) 
  • CVs of workers involved in projects
  • Business’s organigram
  • Collective bargaining agreement or work schedule
  • Register of working hours of workers involved in projects
  • Technical documentation of RD&I projects
  • Last two corporation tax returns
  • Form 190 and/or monthly payrolls
  • Invoices and evidence of payment of direct costs of projects
  • Accounting entries of direct costs of projects
  • Last annual accounts submitted to Trade Register
  • Forecast and provisional accounts for the years for which relief is sought
  • Certificates of no outstanding tax or social security liabilities
  • Documentary evidence of the signature authority of the applicants and/or substantiated reports.


The duration of the specific processing is limited to the duration for performing the administrative processing action for absences, namely 3 years. 

Type of personal data processed 

The personal data processed in the context of the agreement in question concern the following categories of data: 

  • Identity: surname, first names, sex, date of birth, taxpayer identifying number (NIF)
  • Salaries and social security contributions
  • national insurance number
  • information on work history (sick days, absences, leave, jobs)

Certain of these data are considered to be sensitive considering the character of their content. 

Categories of data subjects  

The personal data concern the following categories of persons:   Employees of the Client 


With regard to the character of the data processed and their potential use, the Client guarantees that it shall comply with its obligations in terms of information for the persons whose personal data will be subject to processing in the context of the agreement, as well as the legality of the processing that it performs. 


In its capacity as sub-contractor for the personal data, LEYTON undertakes to take all of the appropriate measures necessary for it and for its personnel to comply with these obligations and in particular:  

  • not to process or consult outside of the context of the documented instructions received from the Client, including those which concern the transfer of personal data to a country outside of the European Union or an international organisation, unless LEYTON is required to do so on the basis of an imperative provision resulting from European Union law or the law of the Member State to which it is subject. In this case, LEYTON informs the Client of this legal obligation before the processing of the data, unless the law in question prohibits such information for important reasons of public interest;
  • to ensure that the persons authorized to process the personal data undertake to observe the confidentiality or are subject to an appropriate legal obligation of confidentiality;
  • to take all measures required in terms of security, in accordance with the article “Security” set out below;
  • to immediately inform the Client in the case of a violation of the regulations on data files and liberties.

LEYTON undertakes moreover to implement at the Client’s request the resources and measures that are appropriate and reasonable in order to assist the Client to: 

  • perform its obligation to accede to the requests by persons concerned by the processing, contact it with regard to the exercise of their rights (particularly of access, rectification or deletion, limitation, opposition or portability);
  • guarantee the compliance with the obligations for which it is responsible in terms of security, notification to the oversight authorities and communication to the data subjects of violations of personal data, analysis of impact, and prior consultation (in accordance with Articles 32 through 36 of the European Union Regulation 2016/679), considering the nature of the processing and the information that is available. 

Any request for assistance to the Client that requires the mobilisation of means, resources or measures that are not reasonable shall constitute an additional service that is invoiced on the basis of the time spent and which, before being performed, shall be subject to an estimate that must be accepted by the Client. 

LEYTON acknowledges and accepts that it may only act in terms of the processing of the data and the files to which it may have access in accordance with the terms hereof and the Agreement. 


With regard to the type of data and the risks presented by the processing, and considering the state of knowledge, the cost for implementing and the character, scope, context and purposes for the processing as well as the risks for the rights and liberties of physical persons, LEYTON undertakes to take all measures necessary in order to preserve the security of the data and the files, and in particular to prevent any distortion, alteration, damage, destruction, either accidentally or illicitly, any loss, disclosure and/or any access by a third party which is not authorised in advance. 

Consequently, LEYTON shall implement appropriate technical and organisational measures in order to preserve a level adapted to the security of the data, with regard to the character of the data and the risks presented by the processing, and in particular, to prevent them from being distorted or damaged, and to prevent any access that may not have been authorised in advance by the Client. 

The means put in place by LEYTON intended to ensure the security and the confidentiality of the data are defined below:  

  • physical security: access to the offices secured by badges, etc.; 
  • logical security: a proxy server for the limitation of access by internet, firewall with detection and prevention of intrusions, anti-virus on all of the workstations, log management, nominative login system, etc.; 
  • organisational security: signature of an information charter which prohibits the recording of data and regulates the use of information systems and the principles of confidentiality; the confidentiality clause in the Employment Agreements, etc. 


LEYTON undertakes to notify the Client as soon as possible after becoming aware of any violation of any personal data, or any violation of the security causing, either accidentally or illicitly, the destruction, loss, alteration, or unauthorised disclosure of personal data transmitted, retained or processed in any other manner, or the unauthorised access to such data when they may cause harm to the rights of the data subjects.  

This notification must be sent to the Client by electronic mail. It must, to the extent possible, specify the character and the consequences of the violation of the data as well as the measures already taken or those that are proposed in order to remedy the situation. 

LEYTON undertakes to collaborate with the Client in order to be able to meet its obligations in terms of notification of the supervisory authorities as well as, if necessary, the data subject.  

Additional services of assistance, such as analysis or investigative services concerning the origin and the consequences of the violation of the data, may be realised by LEYTON at the request of the Client, after validation of an estimate or an order. They are invoiced on the basis of the time spent.  


The Client, acting, as the case may be, on behalf of its affiliated companies, authorises LEYTON to engage sub-contractors in the sense of the regulations on computer information and liberties for the processing of personal data. 

The list of the sub-contractors, in the sense of the regulations on computer information and liberties (hereafter, the “subsequent sub-contractors”) is the following:  

  • Any company of the LEYTON group located in the European Union  
  • With possible recourse to its French lawfirm Conseil Onelaw if a point of law must be specified 

LEYTON may revoke, replace or appoint subsequent sub-contractors subject to the following provisions: 

  • LEYTON shall impose on the subsequent sub-contractor the same obligations in terms of the protection of data as those set in this annex and in the Agreement; 
  • LEYTON shall inform the Client by electronic mail in advance (except in the case of an urgent replacement) of any modifications that may affect the list of subsequent sub-contractors. The Client is required to inform LEYTON of any valid reason for opposition in writing within fifteen (15) days following receipt of the electronic mail. If the Client does not manifest its opposition by registered letter with proof of delivery within fifteen (15) days following receipt of the electronic mail from LEYTON, the new subsequent sub-contractor(s) shall be considered to have been accepted by the Client. In the case of a valid opposition by the Client, LEYTON may, at its request, (i) waive the idea of using a subsequent sub-contractor or (ii) take the corrective measures sought by the Client or (iii) confirm to the Client that it will use the subsequent sub-contractor despite the Client’s opposition. In this last case, the Client has the right to terminate the Agreement at its convenience within a period of one month following the date of receiving confirmation of the use of the sub-contractor.  

When its subsequent sub-contractors do not meet their obligations in terms of data protection, LEYTON shall remain fully responsible before the Client for the performance of their obligations by the subsequent sub-contractors. 


In the event of the transfer of personal data to a third party country which does not belong to the European Union, LEYTON must obtain the prior written consent of the Client. If this consent is given, LEYTON undertakes to cooperate with the Client in order to ensure: 

  • observance of the procedures that allow compliance with the regulations on computer files and liberties, for example in the case when authorisation on the part of the CNIL appears to be necessary;  
  • if needed, the conclusion of one or more Agreements allowing for the regulation of the trans-border flow of data. LEYTON undertakes in particular, if necessary, to sign such Agreements with the Client and/or to obtain the conclusion of such Agreements by its subsequent sub-contractors. In order to do so, the parties agree that the standard contractual clauses published by the European Commission shall be used in order to regulate the trans-border flow of data. 


LEYTON shall keep up to date a registry of the processing activities carried out on behalf of the Client. 


Under the terms of the Agreement, and unless provided expressly to the contrary by the law of the European Union or the law of a Member State of the European Union applicable to the processing that is the subject of this Agreement, LEYTON undertakes to destroy all of the physical or computer files which store the collected information. 

In the event that the law of the European Union or the law of a Member State requires the retention of the personal data, LEYTON shall inform the Client of this obligation and shall than erase the data within 1 week. 

An additional service of reversibility may be sought by the Client in accordance with the provisions of the Agreement


LEYTON undertakes to collaborate in a reasonable manner and to provide to the Client all of the information necessary in order to: 

  • demonstrate observance of their contractual obligations in terms of the processing of personal data as well as with regard to the regulations on computer information and liberties,  
  • allow the performance of an audit concerning the protection of data to be carried out by the Client or by an authorised supervisory authority. 

The costs associated with these audits, including the costs for mobilising the resources of LEYTON, shall be directly borne by the Client, on the basis of the time spent. 

Unless indicated to the contrary in the mandatory applicable data protection law, an audit carried out by the Client must observe the following conditions: 

  • the audit may be carried out a maximum of one time every twelve (12) months; 
  • an audit must not last more than two (2) working days; 
  • the Client must inform LEYTON by means of reasonable written advance notice (of at least sixty (60) days, unless a data protection authority requires the Client to carry out a control within a shorter timeframe in application of a mandatory applicable regulation concerning data protection) by registered letter with proof of delivery and specifying the scope and the terms for the audit; 
  • LEYTON and the Client must mutually agree in advance with regard to the scope and the programme of the audit, which must rely as much as possible on the existing certifications and audit reports allowing LEYTON’s compliance with this Agreement to be verified; 
  • the Client shall ensure the signature of a confidentiality commitment by its auditors, who may not be a direct competitor of LEYTON or one of its former employees;  
  • the audit must not interfere with the capacity of LEYTON to provide its services in accordance with the Agreement.